iOS Reverse Engineering and Security 9.2: Debugging System Programs on a Jailbroken Device

Tweak plugin development

1. Connect to the phone over SSH, either through USB or over Wi-Fi

2. List every running process with ps -A

ps -A
[Figure 1: ps -A output on the device]
Locate the target process in the list (here SpringBoard, the system home-screen process).

3. Export the target application to the Mac

scp -r -P 12345 root@localhost:/System/Library/CoreServices/SpringBoard.app ./
[Figure 2: scp output]
Copy complete. Note the capital -P for the port: lowercase -p only preserves file times, and scp would then try to treat 12345 as a file name. root@localhost with port 12345 assumes a USB tunnel (for example iproxy) forwarding that local port to the device's sshd; over Wi-Fi use the device's IP address and port 22 instead.

4. Export the header files

The binary you just copied is already plain: system binaries are not FairPlay-encrypted (only App Store builds are, and for those you would first need the decrypted Mach-O dumped from memory), so class-dump can read it directly.

class-dump -H SpringBoard -o sps/
[Figure 3: class-dump output]
Export complete: sps/ now contains one .h file per Objective-C class.

5. Debug with cycript (cy) or lldb

6. Write the tweak with MonkeyDev

  1. Create a new Logos Tweak project
[Figure 4: MonkeyDev's Logos Tweak template in Xcode's new-project dialog]

2. Configure which processes to inject into
Package/Library/MobileSubstrate/DynamicLibraries/BadgeTweak.plist (BadgeTweak is the project name) carries a Filter dictionary whose Bundles array lists the bundle identifiers of the processes the dylib is loaded into; several identifiers may be listed. For SpringBoard the identifier is com.apple.springboard.

[Figure 5: the Filter/Bundles entry in the tweak's plist]

3. Configure packaging
Build Settings -> search for MONKEY. The MonkeyDev settings that appear control packaging (building the .deb), the device connection (the IP and port the package is pushed to over SSH) and whether the package is installed on the device so it takes effect after each build.

[Figures 6 to 9: the MONKEY build settings: packaging, connection info, install-and-apply options]
  • Skipping the per-project connection info
  1. MonkeyDev
    Edit the shell profile the MonkeyDev environment variables were written to (on this setup that is ~/.zshrc, not ~/.bash_profile):
vi ~/.zshrc

Insert the device IP and device port next to the other MonkeyDev variables, save, and re-open the shell; MonkeyDev projects then no longer need the device IP and port set in Build Settings.

  2. Theos
    The Theos project directory must be an ASCII-only (English) path.
    Add THEOS_DEVICE_IP and THEOS_DEVICE_PORT (export THEOS_DEVICE_IP=<device ip> and export THEOS_DEVICE_PORT=<port>) to ~/.bash_profile, which is where the Theos environment is configured here:
vi ~/.bash_profile

How a tweak works

After the tweak is packaged as a .deb and installed on the phone, its dylib and its plist end up on the device under
/Library/MobileSubstrate/DynamicLibraries/

[Figure 10: the installed .deb contents under /Library/MobileSubstrate/DynamicLibraries]

The device console shows the tweak being loaded into the target process:

[Figure 11: console log confirming the injection]

The tweak reaches the app through an environment variable: the MobileSubstrate loader is inserted into the process with DYLD_INSERT_LIBRARIES, and it in turn loads every dylib in that directory whose plist Filter matches the process. That is how a tweak changes an app's behaviour, and it is why the defence below targets DYLD_INSERT_LIBRARIES.

Defending against tweak injection: DYLD_INSERT_LIBRARIES

While loading the main executable, dyld decides whether library insertion is restricted for this process; if it is, the DYLD_INSERT_LIBRARIES list is discarded (treated as empty), so nothing gets inserted.

How dyld decides that insertion is restricted
  • The Mach-O contains a segment named __RESTRICT which holds a section named __restrict. dyld's hasRestrictedSegment() walks the load commands and compares exactly those two strings.

[Figures 12 and 13: dyld source, hasRestrictedSegment() checking for the "__RESTRICT" segment and the "__restrict" section]

  • An app can therefore opt in: give it a __RESTRICT segment with a __restrict section and dyld refuses to insert libraries into it.

In the Xcode project: Build Settings -> Other Linker Flags, add

-Wl,-sectcreate,__RESTRICT,__restrict,/dev/null

(/dev/null makes the section empty; only the names matter.)

[Figure 14: the flag in Other Linker Flags]

With the __RESTRICT segment in place, anything that relies on DYLD_INSERT_LIBRARIES against this app stops working, including the classic decryption dumpers (dumpdecrypted-style tools) that are injected that way.

Breaking the __RESTRICT protection

  • Because dyld matches the names with a plain string compare, editing the __RESTRICT segment name (or the __restrict section name) in the Mach-O file is enough to defeat the protection; changing a single byte of the name suffices.
  1. Edit with Synalyze It! Pro
[Figures 15 and 16: the segment name edited in Synalyze It! Pro]
  2. Edit with MachOView
[Figure 17: the segment name edited in MachOView]

Editing the file invalidates its code signature, so the binary must be re-signed before it will run.

Detecting tampering with the injection restriction at load time

Hardening the __RESTRICT protection: since the segment can be edited out of the file, the app also verifies at runtime that its own Mach-O still carries the segment; if it is gone, the binary was modified.

Note: from iOS 10 on, Apple's dyld no longer checks the __RESTRICT segment, so this method does not apply to iOS 10 and later.

The check itself (returns a bool): walk the main executable's load commands exactly as dyld's hasRestrictedSegment() does.

#import <Foundation/Foundation.h>
#import <mach-o/dyld.h>
#import <mach-o/loader.h>
#import <stdbool.h>
#import <stdio.h>
#import <string.h>

// Same macros dyld uses, so the walk compiles for both arm64 and armv7.
// Only the segment/section macros are used here.
#if __LP64__
#define macho_header              mach_header_64
#define LC_SEGMENT_COMMAND        LC_SEGMENT_64
#define LC_SEGMENT_COMMAND_WRONG  LC_SEGMENT
#define LC_ENCRYPT_COMMAND        LC_ENCRYPTION_INFO
#define macho_segment_command     segment_command_64
#define macho_section             section_64
#else
#define macho_header              mach_header
#define LC_SEGMENT_COMMAND        LC_SEGMENT
#define LC_SEGMENT_COMMAND_WRONG  LC_SEGMENT_64
#define LC_ENCRYPT_COMMAND        LC_ENCRYPTION_INFO_64
#define macho_segment_command     segment_command
#define macho_section             section
#endif

static bool hasRestrictedSegment(const struct macho_header *mh);

// Any class in the app will do; the name is illustrative.
@interface RestrictCheck : NSObject
@end

@implementation RestrictCheck

+ (void)load
{
    // Image index 0 is always the main executable, i.e. this app itself.
    const struct macho_header *header = (const struct macho_header *)_dyld_get_image_header(0);
    if (hasRestrictedSegment(header)) {
        NSLog(@"__RESTRICT present: tweak injection is blocked");
    } else {
        NSLog(@"__RESTRICT missing: the binary has been modified"); // react here (exit, report, ...)
    }
}

@end

// Mirrors dyld's hasRestrictedSegment(): true if a __RESTRICT segment
// contains a __restrict section. segname/sectname are 16-byte fields that
// need not be NUL-terminated, hence strncmp with 16.
static bool hasRestrictedSegment(const struct macho_header *mh)
{
    const uint32_t cmd_count = mh->ncmds;
    const struct load_command *const cmds = (const struct load_command *)(((const char *)mh) + sizeof(struct macho_header));
    const struct load_command *cmd = cmds;
    for (uint32_t i = 0; i < cmd_count; ++i) {
        switch (cmd->cmd) {
            case LC_SEGMENT_COMMAND: {
                const struct macho_segment_command *seg = (const struct macho_segment_command *)cmd;
                printf("seg name: %.16s\n", seg->segname); // debug output
                if (strncmp(seg->segname, "__RESTRICT", 16) == 0) {
                    const struct macho_section *const sectionsStart = (const struct macho_section *)((const char *)seg + sizeof(struct macho_segment_command));
                    const struct macho_section *const sectionsEnd = &sectionsStart[seg->nsects];
                    for (const struct macho_section *sect = sectionsStart; sect < sectionsEnd; ++sect) {
                        if (strncmp(sect->sectname, "__restrict", 16) == 0)
                            return true;
                    }
                }
                break;
            }
        }
        cmd = (const struct load_command *)(((const char *)cmd) + cmd->cmdsize);
    }
    return false;
}
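To make the bypass and the self-check concrete, here is an added example (it is not code from the original post, nor dyld's own): it builds a minimal 64-bit Mach-O header in memory carrying the segment that the -sectcreate flag produces, walks its load commands the way dyld's hasRestrictedSegment() does (with the bounds checks a self-check inside a possibly tampered binary should have), then renames the segment with the one-byte edit that Synalyze It! Pro or MachOView performs by hand and shows the check flip. The struct definitions mirror <mach-o/loader.h> so the program compiles on any host; the image is constructed, not a real binary.

```c
/* Added example: __RESTRICT check and the one-byte bypass on a constructed
 * 64-bit Mach-O header. Struct layouts mirror <mach-o/loader.h>; on
 * macOS/iOS include that header instead of redefining them. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MH_MAGIC_64   0xfeedfacfu
#define MH_EXECUTE    2u
#define LC_SEGMENT_64 0x19u
#define IMAGE_SIZE    4096

struct mach_header_64 { uint32_t magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags, reserved; };
struct load_command   { uint32_t cmd, cmdsize; };
struct segment_command_64 {
    uint32_t cmd, cmdsize;
    char     segname[16];
    uint64_t vmaddr, vmsize, fileoff, filesize;
    int32_t  maxprot, initprot;
    uint32_t nsects, flags;
};
struct section_64 {
    char     sectname[16], segname[16];
    uint64_t addr, size;
    uint32_t offset, align, reloff, nreloc, flags, reserved1, reserved2, reserved3;
};

/* Constructed image: header, a __TEXT segment, and a __RESTRICT segment with
 * one empty __restrict section, which is what
 * -Wl,-sectcreate,__RESTRICT,__restrict,/dev/null links in. Caller frees. */
static uint8_t *new_restricted_image(size_t len)
{
    size_t need = sizeof(struct mach_header_64) + 2 * sizeof(struct segment_command_64) + sizeof(struct section_64);
    if (len < need) return NULL;
    uint8_t *buf = calloc(1, len);
    if (!buf) return NULL;
    struct mach_header_64 *mh = (struct mach_header_64 *)buf;
    mh->magic = MH_MAGIC_64;
    mh->filetype = MH_EXECUTE;
    struct segment_command_64 *text = (struct segment_command_64 *)(buf + sizeof *mh);
    text->cmd = LC_SEGMENT_64;
    text->cmdsize = sizeof *text;
    memcpy(text->segname, "__TEXT", 6);
    struct segment_command_64 *rseg = (struct segment_command_64 *)((uint8_t *)text + text->cmdsize);
    rseg->cmd = LC_SEGMENT_64;
    rseg->cmdsize = sizeof *rseg + sizeof(struct section_64);
    rseg->nsects = 1;
    memcpy(rseg->segname, "__RESTRICT", 10);
    struct section_64 *sect = (struct section_64 *)((uint8_t *)rseg + sizeof *rseg);
    memcpy(sect->sectname, "__restrict", 10);
    memcpy(sect->segname, "__RESTRICT", 10);
    mh->ncmds = 2;
    mh->sizeofcmds = text->cmdsize + rseg->cmdsize;
    return buf;
}

/* Bounds-checked load-command walk; returns the first LC_SEGMENT_64 whose
 * name matches, or NULL. A truncated or inconsistent header yields NULL
 * rather than a read past the buffer. */
static struct segment_command_64 *find_segment(uint8_t *buf, size_t len, const char *name)
{
    if (len < sizeof(struct mach_header_64)) return NULL;
    struct mach_header_64 *mh = (struct mach_header_64 *)buf;
    if (mh->magic != MH_MAGIC_64 || mh->sizeofcmds > len - sizeof *mh) return NULL;
    uint8_t *p = buf + sizeof *mh, *end = p + mh->sizeofcmds;
    for (uint32_t i = 0; i < mh->ncmds; i++) {
        if ((size_t)(end - p) < sizeof(struct load_command)) return NULL;
        struct load_command *lc = (struct load_command *)p;
        if (lc->cmdsize < sizeof *lc || lc->cmdsize > (size_t)(end - p)) return NULL;
        if (lc->cmd == LC_SEGMENT_64 && lc->cmdsize >= sizeof(struct segment_command_64)) {
            struct segment_command_64 *seg = (struct segment_command_64 *)p;
            if (strncmp(seg->segname, name, 16) == 0) return seg;
        }
        p += lc->cmdsize;
    }
    return NULL;
}

/* dyld's rule: a __RESTRICT segment that contains a __restrict section. */
static bool has_restricted_segment(uint8_t *buf, size_t len)
{
    struct segment_command_64 *seg = find_segment(buf, len, "__RESTRICT");
    if (!seg) return false;
    size_t room = (seg->cmdsize - sizeof *seg) / sizeof(struct section_64);
    struct section_64 *sect = (struct section_64 *)((uint8_t *)seg + sizeof *seg);
    for (uint32_t s = 0; s < seg->nsects && s < room; s++)
        if (strncmp(sect[s].sectname, "__restrict", 16) == 0) return true;
    return false;
}

/* The hex-editor bypass: overwrite one byte of the segment name so dyld's
 * compare no longer matches. Layout and size are untouched, which is why a
 * hex editor is enough; the code signature is now invalid and the binary
 * must be re-signed. Returns 1 if a segment was patched, else 0. */
static int patch_restrict_segment(uint8_t *buf, size_t len)
{
    struct segment_command_64 *seg = find_segment(buf, len, "__RESTRICT");
    if (!seg) return 0;
    seg->segname[0] = 'X';   /* "__RESTRICT" becomes "X_RESTRICT" */
    return 1;
}

int main(void)
{
    uint8_t *img = new_restricted_image(IMAGE_SIZE);
    if (!img) return 1;
    printf("fresh link:    restricted=%d\n", has_restricted_segment(img, IMAGE_SIZE));
    int n = patch_restrict_segment(img, IMAGE_SIZE);
    printf("after %d patch: restricted=%d\n", n, has_restricted_segment(img, IMAGE_SIZE));
    free(img);
    return 0;
}
```

Run against a real binary, find_segment() would be pointed at the bytes returned by _dyld_get_image_header(0); the same walk then serves both as the load-time self-check and, on the attacker's side, as the patch step.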

Whitelist check

#import <Foundation/Foundation.h>
#import <mach-o/dyld.h>
#import <stdbool.h>
#import <stdio.h>
#import <string.h>

// Concatenated paths of every image the app is expected to load; defined below.
extern const char *libraries;

bool HKCheckWhitelist(void);

// Any class in the app will do; the name is illustrative.
@interface WhitelistCheck : NSObject
@end

@implementation WhitelistCheck

+ (void)load
{
    HKCheckWhitelist();
}

@end

bool HKCheckWhitelist(void)
{
    uint32_t count = _dyld_image_count(); // number of images loaded into the app

    for (uint32_t i = 0; i < count; i++) {
        // Path of each loaded image (index 0 is the main executable).
        const char *imageName = _dyld_get_image_name(i);

        // Does the whitelist contain imageName? Anything under
        // /var/mobile/Containers/Bundle/Application is the app itself and is not checked.
        if (!strstr(libraries, imageName) && !strstr(imageName, "/var/mobile/Containers/Bundle/Application")) {
            printf("Image not in the whitelist!!\n%s\n", imageName);
//            return NO;   // uncomment to fail the check instead of only logging
        }
    }
    return YES;
}


// Whitelist as captured with _dyld_get_image_name() on the demo device (one install, one iOS version).
const char * libraries = "/var/mobile/Containers/Bundle/Application/AD8D84E6-E893-4C96-A29A-FBD13AF4B461/WhitelistDemo.app/WhitelistDemo/Library/MobileSubstrate/MobileSubstrate.dylib/Developer/usr/lib/libBacktraceRecording.dylib/Developer/Library/PrivateFrameworks/DTDDISupport.framework/libViewDebuggerSupport.dylib/System/Library/Frameworks/Foundation.framework/Foundation/usr/lib/libobjc.A.dylib/usr/lib/libSystem.B.dylib/System/Library/Frameworks/UIKit.framework/UIKit/usr/lib/libextension.dylib/usr/lib/libarchive.2.dylib/usr/lib/libicucore.A.dylib/usr/lib/libxml2.2.dylib/usr/lib/libz.1.dylib/System/Library/Frameworks/CoreFoundation.framework/CoreFoundation/System/Library/Frameworks/CFNetwork.framework/CFNetwork/System/Library/Frameworks/SystemConfiguration.framework/SystemConfiguration/System/Library/Frameworks/Security.framework/Security/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit/usr/lib/libCRFSuite.dylib/usr/lib/liblangid.dylib/usr/lib/libc++abi.dylib/usr/lib/libc++.1.dylib/usr/lib/system/libcache.dylib/usr/lib/system/libcommonCrypto.dylib/usr/lib/system/libcompiler_rt.dylib/usr/lib/system/libcopyfile.dylib/usr/lib/system/libcorecrypto.dylib/usr/lib/system/introspection/libdispatch.dylib/usr/lib/system/libdyld.dylib/usr/lib/system/liblaunch.dylib/usr/lib/system/libmacho.dylib/usr/lib/system/libremovefile.dylib/usr/lib/system/libsystem_asl.dylib/usr/lib/system/libsystem_blocks.dylib/usr/lib/system/libsystem_c.dylib/usr/lib/system/libsystem_configuration.dylib/usr/lib/system/libsystem_containermanager.dylib/usr/lib/system/libsystem_coreservices.dylib/usr/lib/system/libsystem_coretls.dylib/usr/lib/system/libsystem_dnssd.dylib/usr/lib/system/libsystem_info.dylib/usr/lib/system/libsystem_kernel.dylib/usr/lib/system/libsystem_m.dylib/usr/lib/system/libsystem_malloc.dylib/usr/lib/system/libsystem_network.dylib/usr/lib/system/libsystem_networkextension.dylib/usr/lib/system/libsystem_notify.dylib/usr/lib/system/libsystem_platform.dylib/usr/lib/system/libsystem_pthread.dylib/usr/lib/system/libsystem_sandbox.dylib/usr/lib/system/libsystem_trace.dylib/usr/lib/system/libunwind.dylib/usr/lib/system/libvminterpose.dylib/usr/lib/system/libxpc.dylib/usr/lib/libbz2.1.0.dylib/usr/lib/liblzma.5.dylib/usr/lib/libMobileGestalt.dylib/usr/lib/libsqlite3.dylib/usr/lib/libenergytrace.dylib/usr/lib/libbsm.0.dylib/System/Library/PrivateFrameworks/UIFoundation.framework/UIFoundation/System/Library/PrivateFrameworks/IOSurface.framework/IOSurface/System/Library/PrivateFrameworks/PowerLog.framework/PowerLog/System/Library/PrivateFrameworks/HangTracer.framework/HangTracer/usr/lib/liblockdown.dylib/System/Library/PrivateFrameworks/MobileKeyBag.framework/MobileKeyBag/System/Library/PrivateFrameworks/UserNotificationServices.framework/UserNotificationServices/System/Library/PrivateFrameworks/FrontBoardServices.framework/FrontBoardServices/System/Library/PrivateFrameworks/BaseBoard.framework/BaseBoard/System/Library/PrivateFrameworks/CoreUI.framework/CoreUI/System/Library/Frameworks/CoreVideo.framework/CoreVideo/System/Library/Frameworks/OpenGLES.framework/OpenGLES/System/Library/Frameworks/VideoToolbox.framework/VideoToolbox/System/Library/PrivateFrameworks/MobileAsset.framework/MobileAsset/System/Library/PrivateFrameworks/BackBoardServices.framework/BackBoardServices/System/Library/Frameworks/CoreImage.framework/CoreImage/System/Library/PrivateFrameworks/DictionaryServices.framework/DictionaryServices/System/Library/PrivateFrameworks/GraphicsServices.framework/GraphicsServices/System/Library/Frameworks/CoreGraphics.framework/CoreGraphics/System/Library/Frameworks/ImageIO.framework/ImageIO/System/Library/Frameworks/QuartzCore.framework/QuartzCore/System/Library/PrivateFrameworks/SpringBoardServices.framework/SpringBoardServices/System/Library/PrivateFrameworks/AppSupport.framework/AppSupport/System/Library/Frameworks/CoreText.framework/CoreText/System/Library/PrivateFrameworks/TextInput.framework/TextInput/System/Library/Frameworks/MobileCoreServices.framework/MobileCoreServices/System/Library/PrivateFrameworks/WebKitLegacy.framework/WebKitLegacy/System/Library/PrivateFrameworks/WebCore.framework/WebCore/System/Library/PrivateFrameworks/ProofReader.framework/ProofReader/usr/lib/libAccessibility.dylib/System/Library/Frameworks/Accelerate.framework/Accelerate/System/Library/PrivateFrameworks/PhysicsKit.framework/PhysicsKit/System/Library/PrivateFrameworks/IOMobileFramebuffer.framework/IOMobileFramebuffer/System/Library/PrivateFrameworks/IOSurfaceAccelerator.framework/IOSurfaceAccelerator/System/Library/Frameworks/Metal.framework/Metal/System/Library/PrivateFrameworks/FontServices.framework/FontServices/System/Library/PrivateFrameworks/FontServices.framework/libFontParser.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vImage.framework/vImage/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/vecLib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libvDSP.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libLAPACK.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libBLAS.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libvMisc.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libLinearAlgebra.dylib/System/Library/Frameworks/Accelerate.framework/Frameworks/vecLib.framework/libSparseBLAS.dylib/System/Library/PrivateFrameworks/AppleJPEG.framework/AppleJPEG/System/Library/PrivateFrameworks/GPUCompiler.framework/libmetal_timestamp.dylib/System/Library/Frameworks/OpenGLES.framework/libCoreFSCache.dylib/System/Library/PrivateFrameworks/IOAccelerator.framework/IOAccelerator/System/Library/Frameworks/OpenGLES.framework/libGFXShared.dylib/System/Library/Frameworks/OpenGLES.framework/libGLImage.dylib/System/Library/Frameworks/OpenGLES.framework/libCVMSPluginSupport.dylib/System/Library/Frameworks/OpenGLES.framework/libCoreVMClient.dylib/System/Library/PrivateFrameworks/MobileSystemServices.framework/MobileSystemServices/System/Library/PrivateFrameworks/AssertionServices.framework/AssertionServices/System/Library/Frameworks/MetalPerformanceShaders.framework/MetalPerformanceShaders/System/Library/PrivateFrameworks/Quagga.framework/Quagga/System/Library/PrivateFrameworks/FaceCore.framework/FaceCore/System/Library/Frameworks/CoreMedia.framework/CoreMedia/System/Library/PrivateFrameworks/ColorSync.framework/ColorSync/usr/lib/libiconv.2.dylib/System/Library/PrivateFrameworks/UserFS.framework/UserFS/System/Library/PrivateFrameworks/CrashReporterSupport.framework/CrashReporterSupport/System/Library/Frameworks/CoreAudio.framework/CoreAudio/System/Library/PrivateFrameworks/AggregateDictionary.framework/AggregateDictionary/usr/lib/libxslt.1.dylib/usr/lib/libmarisa.dylib/System/Library/Frameworks/JavaScriptCore.framework/JavaScriptCore/System/Library/Frameworks/AudioToolbox.framework/AudioToolbox/System/Library/PrivateFrameworks/TCC.framework/TCC/System/Library/PrivateFrameworks/LanguageModeling.framework/LanguageModeling/usr/lib/libcmph.dylib/System/Library/Frameworks/MediaAccessibility.framework/MediaAccessibility/usr/lib/libstdc++.6.dylib/Library/Frameworks/CydiaSubstrate.framework/Libraries/SubstrateLoader.dylib/Library/MobileSubstrate/DynamicLibraries/RHRevealLoader.dylib/Library/Frameworks/CydiaSubstrate.framework/CydiaSubstrate";

Before using a list like this in a shipping build, prune it: as captured it still contains the MobileSubstrate loader, the CydiaSubstrate framework and a tweak (RHRevealLoader.dylib), so the very injection the check is meant to catch would pass, and it also contains Xcode's debugging helpers (libBacktraceRecording, libViewDebuggerSupport) and the install-specific bundle UUID. The set of system images also differs between iOS versions, so the list has to be captured per version the app supports or legitimate images will be rejected.
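The whitelist above is one separator-less string searched with strstr(), which accepts any image path that happens to occur inside it. The following added example (not code from the original post) runs the same audit over a constructed list of image paths, the kind _dyld_get_image_name() returns, with both the substring rule and an exact-match table, to show where they differ. The paths and the bundle UUID are illustrative.

```c
/* Added example: substring whitelist vs exact-match whitelist over a
 * constructed image list. Paths are illustrative; on a device the list
 * would come from _dyld_image_count()/_dyld_get_image_name(). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUNDLE_PREFIX "/var/mobile/Containers/Bundle/Application/"

/* Four system images every app loads; a real table is much longer. */
static const char *const k_table[] = {
    "/usr/lib/libobjc.A.dylib",
    "/usr/lib/libSystem.B.dylib",
    "/System/Library/Frameworks/Foundation.framework/Foundation",
    "/System/Library/Frameworks/UIKit.framework/UIKit",
};
#define K_TABLE_COUNT (sizeof k_table / sizeof *k_table)

/* The same four paths glued together, the way the post stores them. */
static const char k_blob[] =
    "/usr/lib/libobjc.A.dylib"
    "/usr/lib/libSystem.B.dylib"
    "/System/Library/Frameworks/Foundation.framework/Foundation"
    "/System/Library/Frameworks/UIKit.framework/UIKit";

/* Post's rule: accept any image whose path occurs somewhere in the blob. */
static bool blob_allowed(const char *image)
{
    return strstr(k_blob, image) != NULL;
}

/* Stricter rule: the path must equal one table entry. */
static bool table_allowed(const char *image)
{
    for (size_t i = 0; i < K_TABLE_COUNT; i++)
        if (strcmp(image, k_table[i]) == 0)
            return true;
    return false;
}

/* Walks the image list as HKCheckWhitelist() does: images inside the app's
 * own bundle are exempt, everything else must pass `allowed`. Returns the
 * number of rejected images and reports the first one through first_bad. */
static int audit_images(const char *const *images, size_t n,
                        bool (*allowed)(const char *), const char **first_bad)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (strncmp(images[i], BUNDLE_PREFIX, strlen(BUNDLE_PREFIX)) == 0)
            continue;
        if (allowed(images[i]))
            continue;
        if (bad == 0 && first_bad)
            *first_bad = images[i];
        bad++;
    }
    return bad;
}

/* Constructed image list: the app, its system libraries, the Substrate
 * loader that DYLD_INSERT_LIBRARIES brought in, and an attacker's dylib
 * placed at a path that is a substring of a whitelisted path. */
static const char *const k_images[] = {
    BUNDLE_PREFIX "00000000-0000-0000-0000-000000000000/WhitelistDemo.app/WhitelistDemo",
    "/usr/lib/libobjc.A.dylib",
    "/usr/lib/libSystem.B.dylib",
    "/System/Library/Frameworks/Foundation.framework/Foundation",
    "/System/Library/Frameworks/UIKit.framework/UIKit",
    "/Library/MobileSubstrate/MobileSubstrate.dylib",
    "/Frameworks/Foundation.framework/Foundation",
};
#define K_IMAGES_COUNT (sizeof k_images / sizeof *k_images)

int main(void)
{
    const char *bad = NULL;
    int n = audit_images(k_images, K_IMAGES_COUNT, blob_allowed, &bad);
    printf("substring whitelist: %d rejected, first: %s\n", n, bad);
    bad = NULL;
    n = audit_images(k_images, K_IMAGES_COUNT, table_allowed, &bad);
    printf("exact whitelist:     %d rejected, first: %s\n", n, bad);
    return 0;
}
```

Both rules catch the Substrate loader; only the exact match catches the dylib at /Frameworks/Foundation.framework/Foundation, a path an attacker can create on a jailbroken device. Two further caveats apply to either rule: exempting the whole bundle prefix, as the post does, lets a dylib added to a re-signed .app pass, so trusting only image 0 plus the app's known embedded frameworks is tighter; and an attacker who hooks _dyld_get_image_name() itself defeats any check built on it.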

